Installation

Initial Setup by markdmac
Posted: 5 May 11 (Edited 8 Aug 11)

MARKDMAC's SBS 2011 Extra Configuration Steps

This FAQ provides guidance on extra steps you should take when setting up SBS 2011.  Some sections should be evaluated while others should be done on all installs.  Those items I consider mandatory are listed as All Installs.


A.    Check Old Database Size and Set Registry on New Server: All Installs
         http://technet.microsoft.com/en-us/library/bb232092.aspx
B.    Enable DHCP Conflict Detection: All Installs

         A.    Open DHCP, right click the IPv4 protocol.
         B.    Choose properties.  
         C.    Click the Advanced tab.  
         D.    Change the number of conflict checks from zero to one.

C.    Discuss what computers belong to what users for RWW: All Installs

         Gather the workstation list and set up RWW defaults.

D.    Discuss Implementing Restricted Groups With Customer: All Installs

         Enabling restricted groups allows us to restrict who is a local admin and prevents users from creating backdoor admin accounts.  Any account added to a PC will be automatically deleted if it is not part of the Restricted Groups list.
 
To enable restricted groups:
 
1.    Open GPMC and create and link a new GPO at the top level of the domain.
2.    Edit the GPO.
3.    Right click the top most link in the GPO and choose Properties.
4.    Click the Security tab.
5.    Remove all entries related to users.  Leave Domain Admins in place.
6.    Add Domain Computers and check the box for Apply policy.  
7.    In the list, select Domain Controllers and check the box for Deny policy.
8.    Click OK
9.    Right-click Restricted Groups (under Computer Configuration\Windows Settings\Security Settings\Restricted Groups), and then click Add Group.
10.    Click Browse. Focused on the local computer, click the "Administrators" group, click ADD, and then click OK. You are returned to the group policy and you see the administrators group listed in the Restricted Groups window.
11.    Right-click the group, and then click Security.
12.    To the right side of the Members of this Group box, click ADD, and then click Browse.
13.    Add the appropriate users to the group.  For domain accounts use the browse button to ensure the domain name is included.  For the local Administrator ID, type Administrator.  Add:
•    UserDomain\Domain Admins
•    UserDomain\Domain Users (if appropriate)
•    Administrator
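
One way to confirm the policy has applied, as an added example that is not part of the original FAQ: the PowerShell 2.0 compatible script below lists a computer's local Administrators members and reports any that are not on the allow-list from step 13. UserDomain is the placeholder from the steps above; PC01, PC02, helpdesk2 and jsmith are constructed names, and the function names are hypothetical.

```powershell
# Added example: audit local Administrators against the Restricted Groups list.
# "UserDomain" is the placeholder domain from step 13; other names are constructed.
$Allowed = @('UserDomain\Domain Admins', 'Administrator')

function ConvertFrom-AdsPath {
    param([string]$AdsPath, [string]$ComputerName)
    # WinNT://DOMAIN/Name           -> DOMAIN\Name  (domain principal)
    # WinNT://DOMAIN/COMPUTER/Name  -> Name         (local account on COMPUTER)
    # WinNT://S-1-5-21-...          -> returned as-is (SID that no longer resolves)
    $parts = @(($AdsPath -replace '^WinNT://', '') -split '/')
    if ($parts.Count -eq 1) { return $parts[0] }
    if ($parts.Count -ge 3 -and $parts[-2] -eq $ComputerName) { return $parts[-1] }
    return ('{0}\{1}' -f $parts[-2], $parts[-1])
}

function Get-LocalAdminMember {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # The WinNT ADSI provider needs no extra modules and works remotely.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        ConvertFrom-AdsPath -AdsPath $path -ComputerName $ComputerName
    }
}

function Get-UnexpectedAdmin {
    param([string[]]$Members, [string[]]$AllowList)
    # -notcontains compares case-insensitively, as Windows does for account names.
    $Members | Where-Object { $AllowList -notcontains $_ }
}

# Offline run against constructed ADsPath values for a workstation named PC01.
$sample = @(
    'WinNT://UserDomain/Domain Admins',
    'WinNT://UserDomain/PC01/Administrator',
    'WinNT://UserDomain/PC01/helpdesk2',   # constructed local account not on the list
    'WinNT://UserDomain/jsmith'            # constructed domain user not on the list
) | ForEach-Object { ConvertFrom-AdsPath -AdsPath $_ -ComputerName 'PC01' }

Get-UnexpectedAdmin -Members $sample -AllowList $Allowed

# Live use from an admin session on the domain:
# 'PC01', 'PC02' | ForEach-Object {
#     $c = $_
#     Get-UnexpectedAdmin -Members (Get-LocalAdminMember $c) -AllowList $Allowed |
#         ForEach-Object { '{0}: unexpected admin {1}' -f $c, $_ }
# }
```

Any name the live run reports after a GPUpdate and reboot points to a computer where the GPO is not applying, for example because it is outside the scope set in steps 5 to 7.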

E.     Install Specops GPUpdate utility: All Installs

This free utility lets you reboot computers and remotely push a GPUpdate from ADUC.
 
http://www.specopssoft.com/products/specops-gpupdate/specops-gpupdate-download


F.    Remove Quota Limits on Public and Private Stores: All Installs

Discuss with client and remove or adjust quota limits on databases.

Recommendation: Remove on public folders.

Use PowerShell to remove quotas for users before the move:
Get-Mailbox | Set-Mailbox -UseDatabaseQuotaDefaults:$false -IssueWarningQuota "Unlimited" -ProhibitSendQuota "Unlimited" -ProhibitSendReceiveQuota "Unlimited"

G.    Moving public folders and System Mailboxes

1)    Assign Rights To Public Folders:

Get-PublicFolder -Recurse -Server SBS7 -Identity "\" | Get-PublicFolderClientPermission -Server 'servername.companyname.local' -User 'Companyname.local/Users/Administrator' | Remove-PublicFolderClientPermission -Server 'servername.companyname.local'

Get-PublicFolder -Recurse -Server SBS7 -Identity "\"| Add-PublicFolderClientPermission -Server 'servername.companyname.local' -User 'Companyname.local/Users/Administrator' -AccessRights 'Owner'

2)    Manage Replicas:

.\AddReplicaToPFRecursive.ps1 -Server OLDSERVERNAME -TopPublicFolder "\" -ServerToAdd NEWSERVERNAME
.\RemoveReplicaFromPFRecursive.ps1 -Server NEWSERVERNAME -TopPublicFolder "\" -ServerToRemove OLDSERVERNAME

3)    Move the arbitration mailboxes:
 
Get-MoveRequest -MoveStatus Completed | Remove-MoveRequest

Get-Mailbox -Database 'Old Database' -arbitration | New-MoveRequest -TargetDatabase 'NewDatabase'

Get-MoveRequest|Select Identity, Status|FL

H.    Verify client IP has RDNS and SPF records: All Installs

Verify client IP has RDNS and SPF records.

I.    Discuss ActiveSync password policies with customer: All Installs

Discuss enabling passwords on cell phones.  Determine if passwords will be used and modify or create new policies accordingly.

J.    Assign certificate to RWW sessions: All Installs

         A.    From Administrative Tools\Remote Desktop Services select Remote Desktop Session Host Configuration.

         B.    Right click RDP-Tcp choose Properties.

         C.    On the General tab, click Select.

         D.    Select the public certificate and click OK two times.

         E.    If prompted with a notice about existing connections, click OK.

If you do not do this, RWW may not be able to remote control computers from inside the domain.



K.    Set max message size

Discuss with the client and ask what maximum message size they want to allow.  Change the values in red.
 
Set-TransportConfig -MaxRecipientEnvelopeLimit  75MB -MaxReceiveSize 75MB -MaxSendSize 75MB

L.    Set the SCL level to configure Junk Mail threshold

         A message with SCL of 9 is likely spam
         A message with SCL of 0 is not spam

The default is 2.  That means that anything above 2 and lower than the rejection settings (Org Config/Hub Transport/Content Filtering/Action tab) which default to 7 will be sent to the Outlook Junk Mail folder.  

Use the following PowerShell command in the Exchange Management Shell.

Set-OrganizationConfig -SCLJunkThreshold 6

M.    Enable PowerShell Scripts: All Installs

Open PowerShell.
Run the following command:

Set-ExecutionPolicy Unrestricted
Note: This is a security risk.  Only run scripts from sources you trust.

N.    Create internal Autodiscover in DNS: All Installs

In the MS DNS console add a new SRV record with the following:

Name: _autodiscover
Protocol: _tcp
Port: 443
Host: remote.clientdomain.com

O.    Create Autodiscover in Public DNS: All Installs

1)    Log into public DNS.
2)    Add a new A record called Autodiscover.
3)    Point Autodiscover to the public IP address of the SBS server.

Note: if DNS contains a zone for the public domain name, you must do this step internally in that zone as well, but point the IP to the internal IP address of the SBS server.



P.       Virtualize Old Media: All Installs

         In order to remove Exchange from an SBS 2003 server, you will need to have access to SBS 2003 Disk 2.  If working remotely you will need the ability to mount/change media at will.  Create ISO images from original media and leave on the old server to be used during the decommission process.
 
          Virtualize the disks with LCISOCreator.
          http://www.lucersoft.com/files/free/LCISOCreator.zip
 
          Mount the ISO with Virtual Clone Drive
          http://static.slysoft.com/SetupVirtualCloneDrive.exe



The following section is only for Blackberry Enterprise Server Express (BESExpress) Installs


Set up the BESAdmin ID
•    Make an ID called BESADMIN
•    Make BESAdmin a member of Administrators Group
•    Assign the BesAdmin user "log on as a service" rights in the Default Domain Controller Policy

Run the following in Exchange Management Shell
•    Get-MailboxDatabase | Add-ADPermission -User "BesAdmin" -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin

•    Add-RoleGroupMember "View-Only Organization Management" -Member "BesAdmin"

•    Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BesAdmin" -Identity "OU=SBSUsers,OU=Users,OU=MyBusiness,DC=COMPANY,DC=local"

•    Get-ThrottlingPolicy | Where-Object {$_.IsDefault -eq "True"}|Set-ThrottlingPolicy -RCAMaxConcurrency $null


Set Send/Receive As Security for Users
•    In ADUC, view Advanced Properties.  
•    View properties of the SBS Users OU.
•    Select Security.  
•    Add BESAdmin.  
•    Click Advanced.
•    Highlight BESAdmin.  
•    Click Edit.  
•    Select Descendant User Objects in the drop down.
•    Check the boxes for SendAs and ReceiveAs.
•    Click OK 3 times.


Install the Exchange MAPI CDO 1.2.1 package
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e17e7f31-079a-43a9-bff2-0a110307611e&displaylang=en

Now perform a default installation of the BESExpress Software.

After BESExpress is installed, enable the Hard Deletes Setting:
•    Log into the BlackBerry Administration Service.
•    In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view > Email.
•    Click the instance that you want to change.
•    Click Edit instance.
•    On the Messaging tab, in the Messaging options section, in the Hard deletes reconciliation drop-down list, click True.
•    Click Save all.
•    On the computer that hosts the BlackBerry Dispatcher, restart BlackBerry Dispatcher service.

 
